(New change proposal.) |
mNo edit summary |
||
| Line 1: | Line 1: | ||
<!-- Self Contained or System Wide Change Proposal? | <!-- Self Contained or System Wide Change Proposal? | ||
Use this guide to determine to which category your proposed change belongs to. | Use this guide to determine to which category your proposed change belongs to. | ||
| Line 80: | Line 78: | ||
<!-- Please check the list of Fedora release deliverables and list all the differences the feature brings --> | <!-- Please check the list of Fedora release deliverables and list all the differences the feature brings --> | ||
* Policies and guidelines: | * Policies and guidelines: None.<!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. --> | <!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. --> | ||
* Trademark approval: | * Trademark approval: None. (not needed for this Change). | ||
<!-- If your Change may require trademark approval (for example, if it is a new Spin), file a ticket ( https://fedorahosted.org/council/ ) requesting trademark approval from the Fedora Council. This approval will be done via the Council's consensus-based process. --> | <!-- If your Change may require trademark approval (for example, if it is a new Spin), file a ticket ( https://fedorahosted.org/council/ ) requesting trademark approval from the Fedora Council. This approval will be done via the Council's consensus-based process. --> | ||
| Line 130: | Line 128: | ||
== Documentation == | == Documentation == | ||
Follow the [[Features/SharedSystemCertificates]] with OpenSSL specifics. | Follow the [[Features/SharedSystemCertificates]] with OpenSSL specifics. Related bugzilla [[https://bugzilla.redhat.com/show_bug.cgi?id=1270678 bug]] discussing the change. | ||
== Release Notes == | == Release Notes == | ||
| Line 138: | Line 136: | ||
Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze. | Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze. | ||
--> | --> | ||
Default configuration | Default configuration does not point to /etc/openldap/certs for CA certificates any more. Instead, OpenLDAP now implicitly uses Shared System Certificates. | ||
[[Category:ChangePageIncomplete]] | [[Category:ChangePageIncomplete]] | ||
Revision as of 20:08, 8 January 2018
Summary
In order to go forward with adoption of SharedSystemCertificates after this change OpenLDAP clients and server will default to use only the system-wide certificates store.
Owner
- Name: Matus Honek
- Email: mhonek@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 28
- Last updated: 2018-01-08
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Currently, OpenLDAP defaults to trust CA certificates located in /etc/openldap/certs. In order to comply with SharedSystemCertificates we will remove the default explicit configuration options that point to /etc/openldap/certs. Therefore, OpenLDAP will let its crypto library (OpenSSL) load the default CA certificates as described in the SharedSystemCertificates description. For a convenience, where possible, configuration files will contain a commentary with an explanation of the new behaviour.
Benefit to Fedora
Simplification of trust handling which is also the aim of the SharedSystemCertificates effort.
Scope
- Proposal owners: change of default shipped configuration.
- Other developers: check your application trusts whom you want it to trust
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- List of deliverables: N/A (not a System Wide Change)
- Policies and guidelines: None.
- Trademark approval: None. (not needed for this Change).
Upgrade/compatibility impact
There should be no upgrade impact at all as the only updated parts are configuration files which are not overwritten when upgraded, only .rpmnew files should appear accordingly. Therefore, only newly installed packages would ship with the changed default configuration.
How To Test
New installations should by default use what system-wide certificates store use. This means one should be able to make use of CA certificates as before but now they should be by default present in the system certificate store. When CA certificate would be migrated to the system certificate store and no explicit CA certificates location would be configured then TLS connections should behave as before.
User Experience
New installations will use the new default configuration, therefore users should alter their provisioning scripts to make use of system certificate store. Of course, explicitly setting the previous location will work as expected.
Dependencies
None.
Contingency Plan
- Contingency mechanism: Revert configuration changes.
- Contingency deadline: beta freeze.
- Blocks release? No.
- Blocks product? No.
Documentation
Follow the Features/SharedSystemCertificates with OpenSSL specifics. Related bugzilla [bug] discussing the change.
Release Notes
Default configuration does not point to /etc/openldap/certs for CA certificates any more. Instead, OpenLDAP now implicitly uses Shared System Certificates.